This is because a relying party cannot tell the difference between a user attempting to log in using his or her identifier, and the user's OpenID provider spoofing that user to gain access to whatever services the relying party provides to that user.

This is correct, yes. See this post:
http://lists.openid.net/pipermail/openid-general/2008-July/014536.html
Also see David Fuelling's work on MultiAuth.

-Shade
_______________________________________________
security mailing list
http://lists.openid.net/mailman/listinfo/openid-security
